How to Enable Pass-through Authentication for UNC Virtual Directories

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:For more information about IIS 7.0, visit the following Microsoft Web site:


When a user sets up a virtual directory that maps a UNC path to a remote computer, Internet Information Server (IIS) or Internet Information Services (IIS) requests a user name and password to create that link to the remote computer. Any attempt to view the content on the virtual directory uses the credentials of the user that was typed in, even if the user was authenticated by IIS.

You can set up IIS 4.0 or IIS 5.0 to pass the user name and password entered for Basic authentication, and use this pass-through authentication to connect to the remote share. Windows NT Challenge/Response authentication is not supported, because it does not send the password for the UNC connection.

More Information

To set up pass-through authentication, do the following:
  1. Create a UNC virtual directory. Verify that the connection to the remote content works and that browsing to that virtual directory does not return errors.
  2. If you want to use anonymous connections to the computer, do the following:
    1. In the properties for that virtual root, click the Directory Security tab.
    2. Click the Edit button next to Anonymous Access and Authentication Control.
    3. On the Edit button under Allow Anonymous Access, click to uncheck the Enable Automatic Password Synchronization checkbox.
    4. If you do not want Anonymous access, uncheck the box.
  3. Turn on Basic Authentication. Please note that the user's domain name, user name, and password are sent over the network without data encryption. To ensure security, the Web administrator can install SSL on this virtual link to force encryption of the password.
  4. Turn off Windows NT Challenge/Response. NT Challenge/Response authentication does not allow for delegation of user accounts to remote shares. Only Basic Authentication and Anonymous authentication allow for this (Anonymous MUST be set as in step 2).
  5. Open a command prompt, and change to the %systemroot%\System32\Inetsrv\Adminsamples directory. (Note: %systemroot% is usually winnt on most systems).
  6. At the prompt, type the following:
    adsutil set w3svc/#/root/*vdir*/UNCUserName ""
    (where # is the number of the Web site, and *vdir* is the name of the virtual directory created in step 1)

  7. At the prompt, type the following:
    adsutil set w3svc/#/root/*vdir*/UNCPassword ""
    (where # is the number of the Web site, and *vdir* is the name of the virtual directory created in step 1)

  8. At the prompt, type the following:
    adsutil set w3svc/#/root/*vdir*/UNCAuthenticationPassThrough TRUE
    (where # is the number of the Web site, and *vdir* is the name of the virtual directory created in step 1.)

  9. At the prompt, type the following:
    net stop iisadmin /y
  10. At the prompt, type the following:
    net start w3svc
Internet Service Manager will now show this virtual directory as an error. This is normal, because the Internet Service Manager looks for a username and password on a UNC virtual directory, but none exists.

When your users connect and authenticate, the name they type in will be used to connect over the UNC connection to the remote share or content. The Webmaster can now set share-level or NTFS-level permissions, and the user account typed in by the client will be the one used to check against the ACL of these objects.

Note: Any change to this virtual directory in the Internet Service Manager changes the metabase settings above. Therefore, the above steps will need to be performed again.